Overlay Networking (OT context)

Overlay networking in OT environments is a virtual network layer built on top of existing physical infrastructure using tunneling protocols and DNS or routing-based traffic steering. It enables network segmentation, access control, and encrypted communication without modifying the underlying switches, routers, or cabling.

How overlay networking works in OT

An overlay network creates logical point-to-point tunnels between enrolled devices. Each device runs a lightweight agent or connects through a local gateway appliance. The agent encrypts traffic destined for other overlay members, encapsulates it inside standard IP packets, and sends it across the existing physical network (the underlay). The receiving agent decapsulates and decrypts the traffic before delivering it to the destination application.
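The tunnel described above, encrypt on one agent, carry over the underlay, decapsulate on the other, as an added illustration that is not Trout's or Access Gate's code. Device names, the two underlay subnets, the 100.64.0.x overlay addresses and the pairwise key are constructed. The cipher (a SHA-256 keystream plus an HMAC-SHA256 tag) is a stand-in for a real AEAD such as ChaCha20-Poly1305; it exists only to show where encryption and encapsulation sit in the packet and must not be used to protect real traffic.

```python
"""Overlay tunnel data plane: encrypt, encapsulate on the underlay, decapsulate.

Added illustration; not Trout's or Access Gate's code. Names, addresses and the
pairwise key are constructed. The cipher is a placeholder for a real AEAD.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

NONCE_LEN, TAG_LEN, OUTER_LEN = 12, 16, 10   # outer = src(4) + dst(4) + ct length(2)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key||nonce into `length` bytes (toy construction, see docstring)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


class OverlayAgent:
    """Per-device agent: its underlay and overlay addresses plus the keys of its peers."""

    def __init__(self, name: str, underlay_ip: str, overlay_ip: str):
        self.name = name
        self.underlay_ip = ipaddress.ip_address(underlay_ip)
        self.overlay_ip = ipaddress.ip_address(overlay_ip)
        self.peers = {}  # peer overlay IP -> (peer underlay IP, pairwise key)

    def add_peer(self, overlay_ip: str, underlay_ip: str, key: bytes) -> None:
        self.peers[ipaddress.ip_address(overlay_ip)] = (ipaddress.ip_address(underlay_ip), key)

    def encapsulate(self, dst_overlay_ip: str, payload: bytes) -> bytes:
        dst = ipaddress.ip_address(dst_overlay_ip)
        if dst not in self.peers:
            # Traffic for a non-member never enters the tunnel.
            raise PermissionError(f"{dst} is not an enrolled overlay peer of {self.name}")
        dst_underlay, key = self.peers[dst]
        # Inner packet: overlay addresses and the application payload, both encrypted.
        inner = self.overlay_ip.packed + dst.packed + payload
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, nonce, len(inner))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        # Outer header: underlay addresses, the only thing the physical network sees.
        outer = self.underlay_ip.packed + dst_underlay.packed + struct.pack("!H", len(ct))
        return outer + nonce + ct + tag

    def decapsulate(self, datagram: bytes):
        """Authenticate, decrypt and return (source overlay IP, payload); drop anything else."""
        outer_src = ipaddress.ip_address(datagram[0:4])
        outer_dst = ipaddress.ip_address(datagram[4:8])
        (ct_len,) = struct.unpack("!H", datagram[8:OUTER_LEN])
        body = datagram[OUTER_LEN:]
        nonce = body[:NONCE_LEN]
        ct = body[NONCE_LEN:NONCE_LEN + ct_len]
        tag = body[NONCE_LEN + ct_len:]
        if outer_dst != self.underlay_ip:
            raise ValueError("outer destination is not this agent")
        # Only peers expected from this underlay source are tried; the tag decides.
        for peer_overlay, (peer_underlay, key) in self.peers.items():
            if peer_underlay != outer_src:
                continue
            expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
            if hmac.compare_digest(expected, tag):
                inner = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
                src, dst = ipaddress.ip_address(inner[0:4]), ipaddress.ip_address(inner[4:8])
                if src != peer_overlay or dst != self.overlay_ip:
                    raise ValueError("inner addresses do not match the authenticated peer")
                return src, inner[8:]
        raise ValueError("no enrolled peer authenticates this datagram; dropped")


def demo() -> dict:
    """Constructed exchange: a PLC on 192.168.10.0/24 reaching an HMI on 10.20.30.0/24."""
    key = hashlib.sha256(b"constructed pairwise key plc-1/hmi-1").digest()
    plc = OverlayAgent("plc-1", "192.168.10.5", "100.64.0.5")
    hmi = OverlayAgent("hmi-1", "10.20.30.7", "100.64.0.7")
    plc.add_peer("100.64.0.7", "10.20.30.7", key)
    hmi.add_peer("100.64.0.5", "192.168.10.5", key)
    wire = plc.encapsulate("100.64.0.7", b"READ HOLDING REGISTERS 40001-40010")
    src, payload = hmi.decapsulate(wire)
    tampered = bytearray(wire)
    tampered[OUTER_LEN + NONCE_LEN + 8] ^= 0x01      # flip one ciphertext bit in transit
    try:
        hmi.decapsulate(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    try:
        plc.encapsulate("100.64.0.9", b"hello")       # 100.64.0.9 is not an enrolled peer
        stranger_rejected = False
    except PermissionError:
        stranger_rejected = True
    return {"wire": wire, "src": str(src), "payload": payload,
            "tamper_rejected": tamper_rejected, "stranger_rejected": stranger_rejected}
```

Running `demo()` shows the two address spaces side by side: the first eight bytes of `wire` are the underlay addresses 192.168.10.5 and 10.20.30.7, while the 100.64.0.x overlay addresses and the Modbus-style payload are only visible after the receiving agent has verified the tag and decrypted. A flipped ciphertext bit or a destination that is not an enrolled peer is refused before any payload is delivered.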

The key distinction between overlay networking and VLANs is the enforcement layer. A VLAN operates at Layer 2 and depends on switch port configuration and 802.1Q tags for segmentation. Any device on the correct switch port joins the VLAN, regardless of its identity. An overlay network operates at Layer 3 or above and binds access to cryptographic identity. A device must authenticate with valid credentials before it can join the overlay, regardless of which physical switch port it occupies.

Overlay networks in OT environments typically use the 100.64.0.0/16 CGNAT address range for overlay IP assignments. This range is reserved by IANA and does not conflict with the RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) commonly used on production OT networks. This avoids the IP renumbering that would be required if the overlay used addresses already present on the underlay.

Because the overlay is software-defined, its topology is independent of the physical network topology. Two devices on different subnets, different buildings, or different sites can be placed in the same overlay segment. Conversely, two devices on the same physical switch can be isolated from each other if they belong to different overlay segments.
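The three points above (enforcement bound to identity rather than switch port, an overlay range that cannot collide with RFC 1918 underlay addresses, and segments that ignore physical topology) as one added control-plane example. This is not Trout's or Access Gate's code: device names, underlay subnets, switch ports, segment names and the per-device enrollment secrets are constructed, and the HMAC-based enrollment proof stands in for whatever certificate or key exchange a real overlay product uses. It also keeps each member's existing underlay address next to its overlay-scoped one and includes a one-call reversal of an enrollment, as the brownfield section describes.

```python
"""Overlay control plane: identity-bound enrollment, addressing and segments.

Added illustration; not Trout's or Access Gate's code. All names, subnets,
ports, segments and secrets below are constructed.
"""
import hashlib
import hmac
import ipaddress

# RFC 6598 shared address space; the page's 100.64.0.0/16 is a /16 carved from it.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")
OVERLAY_RANGE = ipaddress.ip_network("100.64.0.0/16")
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def overlay_range_is_safe(overlay, underlay_prefixes) -> bool:
    """True when the overlay prefix lies in shared space and overlaps no underlay prefix."""
    overlay = ipaddress.ip_network(overlay)
    underlay = [ipaddress.ip_network(p) for p in underlay_prefixes]
    return overlay.subnet_of(SHARED_ADDRESS_SPACE) and not any(overlay.overlaps(p) for p in underlay)


def enrollment_proof(name: str, secret: bytes) -> bytes:
    """What a device presents at enrollment; only a holder of `secret` can compute it."""
    return hmac.new(secret, b"enroll:" + name.encode(), hashlib.sha256).digest()


class OverlayController:
    def __init__(self, overlay_range=OVERLAY_RANGE):
        self._free = overlay_range.hosts()   # hands out each overlay address once
        self.identities = {}   # device name -> enrollment secret (provisioned out of band)
        self.members = {}      # device name -> membership record

    def provision_identity(self, name: str, secret: bytes) -> None:
        self.identities[name] = secret

    def enroll(self, name: str, underlay_ip: str, switch_port: str, proof: bytes):
        """Admit a device on proof of identity; the switch port plays no part in the decision."""
        secret = self.identities.get(name)
        if secret is None or not hmac.compare_digest(enrollment_proof(name, secret), proof):
            raise PermissionError(f"{name} on {switch_port}: identity not proven, enrollment refused")
        overlay_ip = next(self._free)
        self.members[name] = {
            "underlay_ip": ipaddress.ip_address(underlay_ip),  # unchanged, still used for legacy traffic
            "overlay_ip": overlay_ip,                           # second, overlay-scoped address
            "switch_port": switch_port,
            "segment": None,
        }
        return overlay_ip

    def unenroll(self, name: str) -> None:
        """Reverses one enrollment; nothing on the underlay changes."""
        self.members.pop(name, None)

    def assign_segment(self, name: str, segment: str) -> None:
        self.members[name]["segment"] = segment

    def allowed(self, src: str, dst: str) -> bool:
        """Policy: both endpoints enrolled and in the same segment, wherever they sit physically."""
        a, b = self.members.get(src), self.members.get(dst)
        return bool(a and b and a["segment"] is not None and a["segment"] == b["segment"])


def demo() -> dict:
    ctl = OverlayController()
    names = ("plc-1", "hist-1", "hmi-1")
    secrets = {n: hashlib.sha256(f"constructed secret {n}".encode()).digest() for n in names}
    for n, s in secrets.items():
        ctl.provision_identity(n, s)
    # plc-1 and hmi-1 share a switch in building A; hist-1 sits on another subnet in building B.
    ctl.enroll("plc-1", "10.1.0.20", "sw-a/1", enrollment_proof("plc-1", secrets["plc-1"]))
    ctl.enroll("hmi-1", "10.1.0.21", "sw-a/2", enrollment_proof("hmi-1", secrets["hmi-1"]))
    ctl.enroll("hist-1", "10.2.0.40", "sw-b/7", enrollment_proof("hist-1", secrets["hist-1"]))
    ctl.assign_segment("plc-1", "zone-filling-line")
    ctl.assign_segment("hist-1", "zone-filling-line")
    ctl.assign_segment("hmi-1", "zone-engineering")
    results = {
        "range_safe": overlay_range_is_safe(OVERLAY_RANGE, ["10.1.0.0/24", "10.2.0.0/24"]),
        "plc_overlay_ip": str(ctl.members["plc-1"]["overlay_ip"]),
        "cross_site_same_segment": ctl.allowed("plc-1", "hist-1"),
        "same_switch_different_segment": ctl.allowed("plc-1", "hmi-1"),
    }
    # A device on the right switch port but without a valid identity is still refused.
    try:
        ctl.enroll("rogue-laptop", "10.1.0.99", "sw-a/3", b"\x00" * 32)
        results["rogue_enrolled"] = True
    except PermissionError:
        results["rogue_enrolled"] = False
    ctl.unenroll("hist-1")
    results["after_unenroll"] = ctl.allowed("plc-1", "hist-1")
    return results
```

The contrast with a VLAN is in `enroll` and `allowed`: the switch port is recorded but never consulted, so the PLC and historian on different subnets in different buildings talk because they share a segment, while the PLC and HMI on adjacent ports of the same switch do not. `overlay_range_is_safe` is the check to run before choosing an overlay prefix; it rejects any prefix outside 100.64.0.0/10 or overlapping a production subnet.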

Why overlay networking suits brownfield OT

Brownfield OT environments present unique constraints that make traditional segmentation approaches impractical. Production networks have accumulated decades of organic growth with undocumented dependencies between devices. IP addresses are hard-coded into PLC programs, HMI configurations, and historian connection strings. Changing a single IP address can require revalidation of an entire control loop.

Overlay networking avoids these constraints entirely. The physical network remains unchanged. Devices keep their existing IP addresses for legacy communication. The overlay assigns a second, overlay-scoped address for protected communication. This dual-stack approach means that a device can communicate with legacy systems over the underlay while simultaneously participating in identity-enforced segments on the overlay.

The deployment process does not require network downtime. An overlay gateway appliance connects to a spare switch port, and devices are enrolled incrementally. Each enrollment is independently reversible. This incremental approach is compatible with OT change management processes that restrict modifications to narrow maintenance windows.

OT and industrial context

A pharmaceutical manufacturing facility with validated systems under FDA 21 CFR Part 11 cannot modify network configurations without re-qualifying affected production lines. Overlay networking allows the facility to add segmentation and access control without triggering a revalidation cycle, because the underlay network that the validated systems depend on is not altered.

In oil and gas, distributed wellhead controllers across a wide geographic area may share a flat MPLS network with no segmentation between sites. An overlay can group controllers by function or security zone, creating logical microsegments that span the physical topology without modifying the carrier-provided MPLS configuration.

Compliance relevance

Overlay networking supports segmentation and boundary protection requirements across multiple frameworks. NIST SP 800-171 SC-7 (boundary protection) and AC-4 (information flow enforcement) are directly satisfied by overlay-enforced access policies. IEC 62443 zones and conduits can be mapped to overlay segments. CMMC Level 2 enclave requirements are met by identity-enforced overlay boundaries. NIS2 network segmentation obligations are addressed without requiring physical infrastructure changes.

Access Gate connection

Access Gate deploys overlay networking in OT environments using the lollipop architecture, creating identity-enforced segments in the 100.64.0.0/16 range without modifying the physical underlay.